Updated 4 months ago

Detect and Prevent QR Code Phishing in Microsoft 365

by Sruthy

4 min read

No Comments

As the world is getting modernized and digitized everywhere, attackers are discovering new techniques to bypass security and steal data. Considering Microsoft 365, MFA fatigue attacks brought huge impacts on organizations, which demands the presence of strong MFA authentication methods. Similarly, QR code phishing (quishing) attacks have risen as one of the top attacks after the post-COVID period. Thus, Microsoft continuously improves its detection and prevention techniques to prevent QR code phishing and block harmful threats in the organization. However, do you think every organization follows at least the basic security hygiene? Unfortunately, not!

Let’s see how the absence of basic security hygiene impacts the organization you can’t imagine!

What is a QR Code?

QR (Quick Response) code is a square barcode that can be scanned with a camera in a smartphone or other reading devices like scanners. The QR code contains information like website URLs, product info, etc. When you scan a QR code, it will redirect you to the websites and payment sites, prompting you to download apps, access files, and more.

How QR Codes are Used for Phishing Attacks?

As QR code gives contactless access, businesses prefer to use this more, especially during the COVID-19 pandemic. It helps users to easily make payments or access sites, files, etc., respecting the COVID-19 prevention restriction. Attackers utilize this technology by inserting a malicious QR code which redirects users to download suspicious apps, visit malicious websites, and more. Thus, they steal the victim’s data and login credentials effectively.

Find the various patterns of QR code phishing messages revealed by Defender for Office 365 below.

  • URL redirection
  • Minimal to no text (reducing signals for ML detection)
  • Abuse of known brands
  • Abuse of sending infrastructure known for sending legitimate emails
  • Embedding QR codes in attachments
  • A variety of social lures, including two-factor authentication, document signing, and more

Prevent QR code phishing

Why QR Codes are Often Preferred for Phishing Attacks?

QR codes are preferred by attackers as they are an easy way to redirect victims to malicious sites and download harmful apps, like URLs. Also, they can be easily handled by putting the URL in a location that is hard to detect. The main reasons for using QR codes in phishing attacks are,

  • They move the attack from well-secured corporate environments into the personally owned device, which is less secure.
  • They use URLs, a most common credential theft vector, to steal victim’s credentials.
  • QR codes can only be seen as images in the mail flow and are unreadable until rendered. Thus, it becomes a challenge for security providers to identify the malicious barcodes.

Phishing attacks related to QR codes are on the rise, according to the MSRC report on mid-September 2023. They have seen a 23% increase in these attacks within one week alone. Isn’t it threatening? Let’s dive into how to detect and block QR code phishing in Microsoft 365.

How Defender for Office 365 Detects QR Code Phishing?

Microsoft is constantly improving its techniques to provide organizations with the utmost security. There are various phishing detection techniques Microsoft Defender and Exchange Online protection with advanced capabilities. Let’s keep a keen eye on how to detect QR code phishing in Microsoft 365.

Image Detection in Exchange Online Protection

  • Defender for Office 365 and Exchange Online Protection detects a QR code in a message inline during mail flow using advanced image extraction technologies.
  • It extracts URL metadata from a QR code and feeds that signal into the existing threat protection and filtering capabilities for URLs.
  • The URL can also be sent to a sandbox environment for detonation, and malicious threats are detected and blocked before they reach a user’s mailbox.

Microsoft Defender Threat signal Detection

MS Defender and EOP use various mail flow signals to identify and act on a message. The QR code signal is used in combination with sender intelligence, message headers, content filtering, and recipient details, and the relationship between them is fed into machine learning algorithms to identify malicious content and respond accordingly.

URL Analysis in Microsoft Defender

The URLs extracted from QR codes are

  • Analyzed by machine learning models.
  • Checked against both internal & external sources of reputation.
  • For Microsoft Defender for Office 365 Plan 1/Plan 2 licenses are sandboxed for further investigation to assess the risk for detonation.

Heuristics-based Rules

Microsoft deploys heuristics rules within Defender for Office 365 and EOP which is a set of algorithms designed to detect and respond to security threats like spam, malware, and phishing based on their behavior. It provides an additional layer of protection to secure users from advanced threats by analyzing patterns and behaviors in data, indicating malicious intent.

How to Prevent QR Code Phishing Attacks in Microsoft 365?

As anyone can be an easy target of QR code phishing attacks, it is essential to implement security measures and safeguard sensitive data in the organization.

  • With native integration across endpoints, emails, cloud apps, etc., XDR (Extended Detection and Response) provides clear visibility, analytics, and automatic attack disruption against malicious actors.
  • Microsoft Defender XDR also avoids adversary-in-the-middle (AiTM) attacks, as it is crucial to steal account credentials in QR code phishing.
  • Microsoft Defender for Endpoint on Android and iOS has anti-phishing capabilities to block phishing sites and protect against malware being downloaded or installed through the URL link.
  • Utilize Attack simulation training to educate end users, and it makes them realize the signs of phishing attacks. Thus, it helps to prevent users from falling on attacks unknowingly.
  • Make sure that the essential Microsoft 365 security measures, such as enabling MFA, applying zero trust principles, etc., are followed and adjusted periodically as per the security requirements.
  • Also, monitor your configuration settings, manage and protect priority accounts, review mail flow rules, and track any unusual modifications made to your organization’s policies.
  • Ensure you have properly configured anti-spam, anti-malware, anti-phishing, safe attachments, and much more in your organization.
  • You can use the ‘submissions’ workflow to submit your false positive or false negative samples to Microsoft for further analysis.

I hope this blog will help you understand the importance of implementing proper security measures and the steps to detect and prevent QR code phishing in your organization. Stay updated and stay secure! Drop your queries through the comment section and let us know how you protect your tenant.

Share article